yandex-cloud · Xolog · Dec 11, 2025 · Dec 11, 2025 · nekr0z · Dec 11, 2025
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ managed resources for [Yandex Cloud](https://cloud.yandex.com/).
 
 Install crossplane:
 
-```
+```shell
 kubectl create namespace crossplane-system
 
 helm repo add crossplane-stable https://charts.crossplane.io/stable
@@ -21,7 +21,7 @@ helm install crossplane --namespace crossplane-system crossplane-stable/crosspla
 
 Check crossplane status:
 
-```
+```shell
 helm list -n crossplane-system
 
 kubectl get all -n crossplane-system
@@ -36,16 +36,17 @@ sudo mv crossplane $(dirname $(which kubectl))
 
 Install the provider by using the following command after changing tag to the latest release:
 
-
-```
-crossplane xpkg install provider xpkg.upbound.io/yandexcloud/crossplane-provider-yc:v0.4.1
+```shell
+crossplane xpkg install provider xpkg.upbound.io/yandexcloud/crossplane-provider-yc:v0.14.0
 ```
 
+or set in .Values.provider.package
+
 ### Setup ProviderConfig
 
 Create service account:
 
-```
+```shell
 yc iam service-account create --name <service-account>
 ```
 
@@ -69,16 +70,16 @@ kubectl create secret generic yc-creds -n "crossplane-system" --from-file=creden
 
 Apply example ProviderConfig:
 
-```
+```shell
 kubectl apply -f examples/providerconfig/providerconfig.yaml
 ```
 
 ### Update crossplane-provider-yc
 
-Update provider version on new tag (e.g. v0.4.1):
+Update provider version on new tag (e.g. v0.14.0):
 
-```
-kubectl crossplane update provider crossplane-provider-yc v0.4.1
+```shell
+kubectl crossplane update provider crossplane-provider-yc v0.14.0
 ```
 
 ## Useful things

diff --git a/helm/chart/README.md b/helm/chart/README.md
@@ -162,4 +162,3 @@ image:
 [Kubernetes cluster]: https://kubernetes.io/docs/setup/
 [Minikube]: https://kubernetes.io/docs/tasks/tools/install-minikube/
 [Helm]: https://docs.helm.sh/using_helm/
-
diff --git a/helm/chart/templates/clusterrole.yaml b/helm/chart/templates/clusterrole.yaml
@@ -59,8 +59,11 @@ rules:
   - "*"
 - apiGroups:
   - apiextensions.crossplane.io
+  - ops.crossplane.io
   - pkg.crossplane.io
+  # secrets.crossplane.io removed in 2.0
   - secrets.crossplane.io
+  - protection.crossplane.io
   resources:
   - "*"
   verbs:

diff --git a/helm/chart/templates/deployment.yaml b/helm/chart/templates/deployment.yaml
@@ -57,7 +57,13 @@ spec:
       {{- end }}
       hostNetwork: {{ .Values.hostNetwork }}
       initContainers:
-        - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+        - name: {{ .Chart.Name }}-init
+          {{- if .Values.image.ignoreTag }}
+          image: "{{ .Values.image.repository }}"
+          {{- else }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
           - core
           - init
@@ -73,8 +79,10 @@ spec:
           - --function
           - "{{ $arg }}"
           {{- end }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          name: {{ .Chart.Name }}-init
+          {{- range $arg := .Values.provider.defaultActivations }}
+          - --activation
+          - "{{ $arg }}"
+          {{- end }}
           resources:
             {{- toYaml .Values.resourcesCrossplane | nindent 12 }}
           {{- with .Values.securityContextCrossplane }}
@@ -125,16 +133,24 @@ spec:
             value: crossplane-tls-server
           - name: "TLS_CLIENT_SECRET_NAME"
             value: crossplane-tls-client
+          {{- range $key, $value := .Values.extraEnvVarsCrossplaneInit }}
+          - name: {{ $key | replace "." "_" }}
+            value: {{ $value | quote }}
+          {{- end}}
       containers:
-      - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+      - name: {{ .Chart.Name }}
+        {{- if .Values.image.ignoreTag }}
+        image: "{{ .Values.image.repository }}"
+        {{- else }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+        {{- end }}
         args:
         - core
         - start
         {{- range $arg := .Values.args }}
         - {{ $arg }}
         {{- end }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ .Chart.Name }}
         resources:
           {{- toYaml .Values.resourcesCrossplane | nindent 12 }}
         startupProbe:

diff --git a/helm/chart/templates/providerconfig.yaml b/helm/chart/templates/providerconfig.yaml
@@ -7,6 +7,25 @@ type: Opaque
 data:
   credentials: {{ .Values.providerJetYc.creds | default "" | b64enc }}
 ---
+{{- if .Value.provider.config.new_api }}
+apiVersion: yandex-cloud.m.jet.crossplane.io/v1beta1
+kind: ProviderConfig
+metadata:
+  annotations:
+    upjet.upbound.io/manual-intervention: Namespaced ProviderConfig for Crossplane v2 with local secret references.
+    "helm.sh/resource-policy": keep
+  name: {{ .Values.providerJetYc.providerName }}-v2
+spec:
+  credentials:
+    cloudId: {{ .Values.providerJetYc.cloudId }}
+    folderId: {{ .Values.providerJetYc.folderId }}
+    endpoint: {{ .Values.providerJetYc.endpoint }}
+    secretRef:
+      key: credentials
+      name: {{ .Values.providerJetYc.secretName }}
+      namespace: {{ .Release.Namespace }}
+    source: Secret
+{{ else }}
 apiVersion: yandex-cloud.jet.crossplane.io/v1alpha1
 kind: ProviderConfig
 metadata:
@@ -21,18 +40,8 @@ spec:
       namespace: {{ .Release.Namespace }}
       key: credentials
     endpoint: {{ .Values.providerJetYc.endpoint }}
----
-apiVersion: pkg.crossplane.io/v1
-kind: Provider
-metadata:
-  name: provider-jet-yc
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/resource-policy": keep
-spec:
-  package: {{ .Values.providerJetYc.package }}
-  runtimeConfigRef:
-    name: yc-pod-security
+{{- end }}
+# ! Delete provider because value .Values.provider.packages can install it
 ---
 apiVersion: pkg.crossplane.io/v1beta1
 kind: DeploymentRuntimeConfig
@@ -63,10 +72,9 @@ spec:
           volumes:
             - name: internal-root-ca
               secret:
-              defaultMode: 420
-              secretName: {{ .Values.internalRootCaSecretName }}
-              items:
-                - key: internal-root-ca
-                  path: ca-certificates.crt
+                defaultMode: 420
+                secretName: {{ .Values.internalRootCaSecretName }}
+                items:
+                  - key: internal-root-ca
+                    path: ca-certificates.crt
             {{ end }}
-
diff --git a/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml b/helm/chart/templates/rbac-manager-allowed-provider-permissions.yaml
@@ -11,4 +11,4 @@ aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
       rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
-{{- end}}
+{{- end}}
diff --git a/helm/chart/templates/rbac-manager-clusterrolebinding.yaml b/helm/chart/templates/rbac-manager-clusterrolebinding.yaml
@@ -14,4 +14,4 @@ subjects:
 - kind: ServiceAccount
   name: rbac-manager
   namespace: {{ .Release.Namespace }}
-{{- end}}
+{{- end}}
diff --git a/helm/chart/templates/rbac-manager-deployment.yaml b/helm/chart/templates/rbac-manager-deployment.yaml
@@ -52,12 +52,16 @@ spec:
       runtimeClassName: {{ .Values.runtimeClassName | quote }}
       {{- end }}
       initContainers:
-      - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+      - name: {{ .Chart.Name }}-init
+        {{- if .Values.image.ignoreTag }}
+        image: "{{ .Values.image.repository }}"
+        {{- else }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+        {{- end }}
         args:
         - rbac
         - init
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ .Chart.Name }}-init
         resources:
           {{- toYaml .Values.resourcesRBACManager | nindent 12 }}
         {{- with .Values.securityContextRBACManager }}
@@ -78,7 +82,12 @@ spec:
                 resource: limits.memory
                 divisor: "1"
       containers:
-      - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+      - name: {{ .Chart.Name }}
+        {{- if .Values.image.ignoreTag }}
+        image: "{{ .Values.image.repository }}"
+        {{- else }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
+        {{- end }}
         args:
         - rbac
         - start
@@ -87,7 +96,6 @@ spec:
         {{- end }}
         - --provider-clusterrole={{ template "crossplane.name" . }}:allowed-provider-permissions
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ .Chart.Name }}
         resources:
           {{- toYaml .Values.resourcesRBACManager | nindent 12 }}
         {{- if .Values.metrics.enabled }}

diff --git a/helm/chart/templates/rbac-manager-managed-clusterroles.yaml b/helm/chart/templates/rbac-manager-managed-clusterroles.yaml
@@ -111,6 +111,14 @@ rules:
 - apiGroups: [apiextensions.k8s.io]
   resources: [customresourcedefinitions]
   verbs: [get, list, watch]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -147,6 +155,14 @@ rules:
   - secrets.crossplane.io
   resources: ["*"]
   verbs: ["*"]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -178,6 +194,14 @@ rules:
   - secrets.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
+- apiGroups:
+    - protection.crossplane.io
+  resources: ["*"]
+  verbs: [get, list, watch]
+- apiGroups:
+    - ops.crossplane.io
+  resources: ["*"]
+  verbs: [get, list, watch]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -199,74 +223,6 @@ rules:
   - apiextensions.crossplane.io
   resources: ["*"]
   verbs: [get, list, watch]
-{{- if .Values.rbacManager.managementPolicy }}
----
-# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
-# the Crossplane RBAC manager when it is running in --manage=All mode.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-admin
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-admin: "true"
-    rbac.crossplane.io/base-of-ns-admin: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace admins have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace admins may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
-# Crossplane namespace admins have access to view the roles that they may be
-# able to grant to other subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [roles]
-  verbs: [get, list, watch]
-# Crossplane namespace admins have access to grant the access they have to other
-# subjects.
-- apiGroups: [rbac.authorization.k8s.io]
-  resources: [rolebindings]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-edit
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-edit: "true"
-    rbac.crossplane.io/base-of-ns-edit: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace editors have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-# Crossplane namespace editors may need to read or otherwise interact with
-# resource claim connection secrets.
-- apiGroups: [""]
-  resources: [secrets]
-  verbs: ["*"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "crossplane.name" . }}:aggregate-to-ns-view
-  labels:
-    rbac.crossplane.io/aggregate-to-ns-view: "true"
-    rbac.crossplane.io/base-of-ns-view: "true"
-    app: {{ template "crossplane.name" . }}
-    {{- include "crossplane.labels" . | indent 4 }}
-rules:
-# Crossplane namespace viewers have access to view events.
-- apiGroups: [""]
-  resources: [events]
-  verbs: [get, list, watch]
-{{- end }}
+# remove rbac management policy because dont have value for this
 {{- end }}
 {{- end }}
diff --git a/helm/chart/templates/rbac-manager-serviceaccount.yaml b/helm/chart/templates/rbac-manager-serviceaccount.yaml
@@ -13,4 +13,4 @@ imagePullSecrets:
 - name: {{ $secret }}
 {{- end }}
 {{- end }}
-{{- end}}
+{{- end}}
diff --git a/helm/chart/templates/secret.yaml b/helm/chart/templates/secret.yaml
@@ -40,4 +40,4 @@ kind: Secret
 metadata:
   name: crossplane-tls-client
   namespace: {{ .Release.Namespace }}
-type: Opaque
+type: Opaque
diff --git a/helm/chart/templates/serviceaccount.yaml b/helm/chart/templates/serviceaccount.yaml
@@ -16,4 +16,4 @@ imagePullSecrets:
 - name: {{ $secret }}
 {{- end }}
 {{ end }}
-{{- end }}
+{{- end }}
diff --git a/helm/template/chart/Chart.yaml b/helm/template/chart/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: ${IMAGE_TAG}
+appVersion: ${IMAGE_TAG}  # 2.1.3
 description: Crossplane is an open source Kubernetes add-on that enables platform
   teams to assemble infrastructure from multiple vendors, and expose higher level
   self-service APIs for application teams to consume.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -162,4 +162,3 @@ image:
		[Kubernetes cluster]: https://kubernetes.io/docs/setup/
		[Minikube]: https://kubernetes.io/docs/tasks/tools/install-minikube/
		[Helm]: https://docs.helm.sh/using_helm/